Re: [j-nsp] what is different sd-syslog and syslog format ?
sorry should be triple not Truppe

— Sent from Mailbox for iPhone

On Thu, Apr 17, 2014 at 11:05 AM, Klaus Groeger kla...@gmail.com wrote:
> Hi
> sd-format is Truppe size :)
> Syslog format is comma delimited, position defined. SD format is always parameter=value, like this: , destination-address=123.234.211.1, destination-port=25, etc.
>
> Klauzi
>
> — Sent from Mailbox for iPhone
>
> On Thu, Apr 17, 2014 at 9:55 AM, bruno bruno.juni...@gmail.com wrote:
>> Hi guys,
>> what is the difference between sd-syslog and syslog format on srx?
>> thx.
>>
>> --
>> Best Regards,
>> Bruno

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] what is different sd-syslog and syslog format ?
Hi
sd-format is triple size :)
Syslog format is comma delimited, position defined. SD format is always parameter=value, like this: , destination-address=123.234.211.1, destination-port=25, etc.

Klauzi

— Sent from Mailbox for iPhone

On Thu, Apr 17, 2014 at 9:55 AM, bruno bruno.juni...@gmail.com wrote:
> Hi guys,
> what is the difference between sd-syslog and syslog format on srx?
> thx.
>
> --
> Best Regards,
> Bruno
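Added example for the two replies above; it is not code from the thread or from Juniper. It parses a constructed line in each of the two formats Klaus describes: a structured-data ("sd-syslog") line, written here in the RFC 5424 `[sd-id param="value" ...]` shape that SRX structured logging follows as far as I know, and a comma-delimited line whose field meaning is fixed only by position, which is an assumed layout for illustration. The point it demonstrates is why log collectors and detection rules should prefer the parameter=value form: inserting a field into the structured line changes nothing, while the same insertion silently shifts every later field in a positional line unless the parser checks the field count.

```python
import re
from typing import Dict, List

# Constructed sample lines, not captured device output.
SD_LINE = (
    '<14>1 2014-04-17T09:55:00.000Z srx240 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.1.1.5" source-port="51234" '
    'destination-address="123.234.211.1" destination-port="25" '
    'protocol-id="6" policy-name="allow-smtp"]'
)
# The same event with one extra parameter inserted before the destination.
SD_LINE_EXTRA = SD_LINE.replace(
    'destination-address=', 'service-name="junos-smtp" destination-address=')

# Assumed positional layout (constructed): meaning comes from field order only.
POS_LAYOUT = ["source-address", "source-port", "destination-address",
              "destination-port", "protocol-id", "policy-name"]
POS_LINE = "RT_FLOW_SESSION_CREATE: 10.1.1.5,51234,123.234.211.1,25,6,allow-smtp"
# Same insertion as above: an extra field in the middle of a positional line.
POS_LINE_EXTRA = "RT_FLOW_SESSION_CREATE: 10.1.1.5,51234,junos-smtp,123.234.211.1,25,6,allow-smtp"

# One [SD-ID PARAM="VALUE" ...] element; values may contain backslash-escaped ] " \
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^\s\]]+)\s(?P<params>(?:[^\]\\]|\\.)*)\]')
PARAM_RE = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside a PARAM-VALUE with a backslash.
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_sd(line: str) -> Dict[str, str]:
    """Parse a structured-data (sd-syslog) line into a dict keyed by parameter name."""
    m = SD_ELEMENT_RE.search(line)
    if m is None:
        raise ValueError("no structured-data element in line")
    fields = {key: _unescape(val) for key, val in PARAM_RE.findall(m.group("params"))}
    fields["sd-id"] = m.group("sdid")
    return fields


def parse_positional(line: str, layout: List[str]) -> Dict[str, str]:
    """Parse a comma-delimited line whose field meaning is fixed by position."""
    _, _, body = line.partition(": ")
    values = body.split(",")
    if len(values) != len(layout):
        # A positional parser cannot tell which field moved; refuse rather than
        # silently label a port as an address or a policy name as a protocol.
        raise ValueError(f"expected {len(layout)} fields, got {len(values)}")
    return dict(zip(layout, values))


def positional_is_parseable(line: str, layout: List[str]) -> bool:
    try:
        parse_positional(line, layout)
        return True
    except ValueError:
        return False


def destination(fields: Dict[str, str]) -> str:
    """Normalised 'address:port' view that works for either parser's output."""
    return f'{fields["destination-address"]}:{fields["destination-port"]}'


if __name__ == "__main__":
    print("sd      :", destination(parse_sd(SD_LINE)))
    print("sd+extra:", destination(parse_sd(SD_LINE_EXTRA)))
    print("pos     :", destination(parse_positional(POS_LINE, POS_LAYOUT)))
    print("pos+extra parseable:", positional_is_parseable(POS_LINE_EXTRA, POS_LAYOUT))
```

Run it directly to see that both parsers agree on the original lines and that only the structured parser survives the inserted field.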
Re: [j-nsp] Are IRB interfaces still not functional under SRX?
On SRX branches one configures:

interfaces {
    vlan {
        unit 123 {
            family inet {
                address 192.168.123.1/24;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members 123;
                }
            }
        }
    }
}
vlans {
    onetwothree {
        vlan-id 123;
        l3-interface vlan.123;
    }
}

On SRX IRBs are called RVIs (Routed VLAN Interfaces). This way one gets interfaces configured as switching interfaces with a routable address. You may apply most L2 options in branch SRX as needed, even LAGs and all the other stuff.

Regards,
Klaus
Re: [j-nsp] SRX240 and SRX550 Web Filtering Capacity
There is only internal performance information, which is confidential. Try to fetch a Juniper SE, who can provide you with the relevant info.

— Sent from Mailbox for iPhone
Re: [j-nsp] Policy-based IPSec tunnel and static routing
In policy based VPN just rely on the default route, which points out the interface and zone where the VPN's outgoing interface resides. The packets have to hit the policy between the internal and external zone, then are injected into the VPN. No additional route is needed.

Klaus

— Sent from Mailbox for iPhone

On Thu, Nov 21, 2013 at 4:29 PM, Per Westerlund p...@westerlund.se wrote:
> Sorry, no automatic route-injection with SRX and policy-based IPsec VPN. The traffic has to be made to hit the security policy rules that allow the tunnel traffic, and that is normally done manually.
>
> /Per
>
> On 21 Nov 2013 at 16:17, Michael Hallgren m.hallg...@free.fr wrote:
>> Hi,
>> I ran into the following: In a pretty much standard setup of a policy-based IPSec VPN between a SRX and a cisco ASA, pinging a destination behind the SRX worked just fine from behind the ASA, the other way around didn't. Had a few static routes set, among them a 0/0 pointing in the direction of the ASA, and a 10/8 pointing at SRX customers. The host behind the ASA that I couldn't ping was in 10/24, say. Adding a static route 10/24 pointing at the ASA (not at the tunnel endpoint) fixed the flow from SRX to ASA. Was under the impression that policy-based setup is supposed to handle static route injection auto-magically. What am I missing?
>>
>> Cheers,
>> mh
Re: [j-nsp] SRX Source NAT internal users to two or more public IPs
Sorry, wrong link, here's the correct one:
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/configuring-persistent-address-pool-example.html#configuring-persistent-address-pool-example

— Sent from Mailbox for iPhone

On Fri, Jul 19, 2013 at 7:08 AM, William McLendon wimcl...@gmail.com wrote:
> hi all,
> We have an issue where we have enough internal users and sessions using the general outbound NAT that we are hitting the session limit for the single public IP due to running out of ports. (really it's due to how Source NAT is carved up on an HA pair… see http://kb.juniper.net/KB14958 )
>
> However I think if I just add additional IPs to NAT the users to, it may end up breaking some applications as they establish a new outbound session from clicking a URL or something, but that session gets NAT'd to the other IP that the far side is not expecting to see it from.
>
> I think ScreenOS had something called Sticky DIP that could help mitigate this where for some NAT Timer, any session initiated by an IP address would always be NAT'd to the same public IP -- does SRX have a similar feature?
>
> If not, I think my only other option then would be to carve up the internal networks, ie 10.10.10/24 NATs to public IP A, and 11.11.11.0/24 NATs to public IP B, etc. which is probably ok, but can get a little cumbersome. Or if anyone knows another way please share :)
>
> Thanks,
> Will
Re: [j-nsp] EX2200 Series
You need the EFL (Enhanced Feature License) to run OSPF v1/v2 on 2200, and yes, it only supports four interfaces. Don't know if an aggregated IF (ae0 LAG) counts as one.
Link: http://www.juniper.net/techpubs/en_US/junos11.4/Tonics/concept/ex-series-software-licenses-overview.html

Regards
Klaus

— Sent from Mailbox for iPhone

On Mon, Jul 1, 2013 at 16:50, Paulhamus, Jon jpaulha...@iu17.org wrote:
> Yes - it's usable with the AFL license, but I'm pretty sure on the EX2200, it only allows 4 interfaces to participate in OSPF.
>
> From: Bill Blackford [mailto:bblackf...@gmail.com]
> Sent: Thursday, June 27, 2013 8:19 PM
> To: Paulhamus, Jon
> Cc: Doug McIntyre; juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] EX2200 Series
>
>> Any features specifically that you're curious about?
>
> Has anyone done/used the VC feature? How stable is it? Does it function in a similar manner to that of the EX4200's? How do they handle the loss of a member? These will be closet stacks, so little need for any L3 functionality. However, in the event I bring L3 down to the access layer, is the OSPF implementation usable? (my experience has been on 3200/4200's primarily). I believe I read something about limitations.
>
> On Thu, Jun 27, 2013 at 4:34 PM, Paulhamus, Jon jpaulha...@iu17.org wrote:
>> We have approximately 75 of the 2200's and closer to 250 of the 4200's / 4500's either standalone or in VC. A few bugs along the way with earlier code - but now we've stuck with 11.4R5.7 code and all is well. I've mixed the 2200's with mostly Cisco, and 3com / HP and have had no issues with compatibility other than a few gotchas with VLAN pruning on the Cisco's that we easily accounted for. For what it's worth, we also use SRX's combined with Cisco routers and firewalls for VPN's as well without any issues.
>>
>> Any features specifically that you're curious about?
>>
>> From: Doug McIntyre [mer...@geeks.org]
>> Sent: Thursday, June 27, 2013 6:47 PM
>> To: juniper-nsp@puck.nether.net
>> Subject: Re: [j-nsp] EX2200 Series
>>
>> On Thu, Jun 27, 2013 at 03:09:16PM -0700, Bill Blackford wrote:
>>> I am interested in hearing any feedback about the EX2200. In particular, anyone who has done a recent enterprise deployment in a converged and in particular, a mixed vendor environment.
>>
>> I've used the EX2200's, and aside from the limited features compared to the rest of the EX line, they operate exactly the same, just missing a couple things that are mentioned in the datasheets. Although they recently (12.x) brought Virtual Chassis to it, I haven't done that yet.
>>
>> As to mixed vendor, you'd have to state what protocols you are expecting in a mixed vendor? They do STP and RSTP just fine. They won't do cisco proprietary protocols, such as CDP or VDP. They have standards based protocols that are equivalent. I've done OSPF and BGP (still accounting for all switches having limited BGP route space) with no issues.
>>
>> Overall, I've had much less problems with the Juniper switches (aside from some bad releases, especially on the EX4550 line) than my cisco switches all around. I have had some wonkiness getting especially old cisco software talking, but the problem has always been on the cisco side. Usually upgrading the cisco to newer code solved their bugs (ie. LACP).
>
> --
> Bill Blackford
> Logged into reality and abusing my sudo privileges.
Re: [j-nsp] SRX to vshield lan2lan
Did you assign the st0.x interface to a zone?
Re: [j-nsp] SRX to vshield lan2lan
Hi
usually it's the mismatching PSK which generates this message.

Klaus

— Sent from Mailbox for iPhone

On Thu, Jun 20, 2013 at 6:39 PM, bizza biz...@gmail.com wrote:
> Hi all,
> has anyone set up a lan to lan ipsec vpn between juniper srx and vmware vshield? I tried various configurations, but I still have some problems.
>
> [...]
> root@srx210h-fw1# show ike
> proposal 1 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha-256;
>     encryption-algorithm aes-256-cbc;
> }
> proposal 2 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm md5;
>     encryption-algorithm 3des-cbc;
> }
> proposal 3 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm md5;
>     encryption-algorithm aes-256-cbc;
> }
> proposal 4 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha-256;
>     encryption-algorithm 3des-cbc;
> }
> proposal 5 {
>     authentication-method pre-shared-keys;
>     authentication-algorithm sha1;
>     encryption-algorithm aes-256-cbc;
> }
> policy ike_pol_lan_to_remote {
>     mode main;
>     proposals [ 1 2 3 4 5 ];
>     pre-shared-key ascii-text xxx; ## SECRET-DATA
> }
> gateway gw_lan_to_remote {
>     ike-policy ike_pol_lan_to_remote;
>     address x.y.w.z;
>     local-identity inet my.ip.add.res;
>     external-interface reth2.0;
> }
> [...]
> root@srx210h-fw1# show ipsec
> policy ipsec_pol_lan_to_remote {
>     proposal-set compatible;
> }
> vpn lan_to_remote {
>     bind-interface st0.0;
>     ike {
>         gateway gw_lan_to_remote;
>         ipsec-policy ipsec_pol_lan_to_remote;
>     }
>     establish-tunnels immediately;
> }
>
> In /var/log/kmd I found
>
> Jun 20 18:25:50 IKEv1 Error : Payload malformed
> Jun 20 18:26:50 IKEv1 Error : Payload malformed
> Jun 20 18:27:50 IKEv1 Error : Payload malformed
> Jun 20 18:28:50 IKEv1 Error : Payload malformed
> Jun 20 18:29:50 IKEv1 Error : Payload malformed
> Jun 20 18:30:50 IKEv1 Error : Payload malformed
> Jun 20 18:31:50 IKEv1 Error : Payload malformed
>
> Any help?
>
> Regards
> bizza
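Added example for the exchange above; it is not code from the thread or from Juniper. It is a small Python check that turns the once-a-minute "Payload malformed" errors bizza pasted from /var/log/kmd into a single alert instead of a stream of identical lines. The seven error lines are the ones quoted in the thread; the two extra lines, the year (kmd timestamps carry none), the three-errors-in-five-minutes threshold and the "likely PSK mismatch" wording are assumptions, the last one following Klaus's reply rather than any Juniper documentation.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# The seven error lines from the thread, plus one constructed filler line and
# one constructed line without a timestamp (which the parser must skip).
KMD_LOG = """\
Jun 20 18:24:10 (constructed filler line, not an IKE error)
garbage line without a timestamp (constructed)
Jun 20 18:25:50 IKEv1 Error : Payload malformed
Jun 20 18:26:50 IKEv1 Error : Payload malformed
Jun 20 18:27:50 IKEv1 Error : Payload malformed
Jun 20 18:28:50 IKEv1 Error : Payload malformed
Jun 20 18:29:50 IKEv1 Error : Payload malformed
Jun 20 18:30:50 IKEv1 Error : Payload malformed
Jun 20 18:31:50 IKEv1 Error : Payload malformed
"""
# Constructed: two isolated errors, well apart, should not raise an alert.
KMD_LOG_QUIET = """\
Jun 20 18:25:50 IKEv1 Error : Payload malformed
Jun 20 19:40:00 IKEv1 Error : Payload malformed
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$')
MALFORMED = "IKEv1 Error : Payload malformed"


def parse_kmd(text: str, year: int = 2013) -> List[Tuple[datetime, str]]:
    """Turn kmd lines into (timestamp, message); the year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("msg")))
    return events


def malformed_bursts(events, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)):
    """Return (first, last, count) for each run of at least `threshold`
    'Payload malformed' errors whose timestamps fit inside `window`."""
    stamps = sorted(ts for ts, msg in events if msg == MALFORMED)
    bursts = []
    i = 0
    while i < len(stamps):
        j = i
        while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((stamps[i], stamps[j], j - i + 1))
            i = j + 1          # do not report the same run twice
        else:
            i += 1
    return bursts


def summarize(events, **kw) -> List[str]:
    """One human-readable alert per burst, with the retry cadence."""
    out = []
    for first, last, count in malformed_bursts(events, **kw):
        gap = (last - first).total_seconds() / (count - 1)
        out.append(
            f"{count} 'Payload malformed' errors {first:%b %d %H:%M:%S}-{last:%H:%M:%S} "
            f"(every {gap:.0f}s): likely pre-shared key mismatch with the peer, "
            f"compare the PSK on both ends before touching the proposals")
    return out


if __name__ == "__main__":
    for alert in summarize(parse_kmd(KMD_LOG)):
        print(alert)
```

The steady sixty-second spacing in the output is itself useful: it is the retry cadence of a negotiation that never gets past phase 1, which is what you expect when the peers disagree on the key rather than on reachability.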
Re: [j-nsp] Inter-racks switch routing recommended practice
Edward,
AFAIK one needs EFL to run AFL, not vice versa:
http://www.juniper.net/techpubs/en_US/junos12.3/topics/concept/ex-series-software-licenses-overview.html

Regards
Klaus
Re: [j-nsp] OSPF OID reply
Hi.
looks like the OID is a trap that could be sent by Juniper devices. I would say, if one sends a trap like this towards a Juniper device, the target will not react in any way.
http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-network-mgm/standard-snmpv1-traps-junos-nm.html

Klaus —
Re: [j-nsp] Srx 240 ipsec site to site
Hi
you may not resolve the issue with auto vpn, because the main problem is: both sites are assigned the IPs dynamically - via dhcp or whatever. If both sites do not know the peer's IP address, they cannot establish a tunnel. In ScreenOS, one has the option to use a hostname instead of an IP address; the system makes a name lookup and connects to the resolved address. This isn't possible with SRX, because the hostname is resolved during configuration and the IP address will be nailed down in the config. Even if you use aggressive mode, one site has to be a fixed IP address!

Regards
Klaus

— Sent from Mailbox for iPhone

On Sun, May 12, 2013 at 20:58, Misha Gzirishvili misha.gzirishv...@gmail.com wrote:
> Hi Aji,
> Take a look at AutoVPN. Some links about it:
Re: [j-nsp] Srx 240 ipsec site to site
Hi,
have to check if using a hostname as peer address works with 12.1x44. But in 11.4 it is not possible. As soon as one uses a hostname as peer address the SRX resolves the IP address and puts it in the config. Still waiting for all the neat little features that made ScreenOS such a strong system.

Klaus

— Sent from Mailbox for iPhone

On Tue, May 7, 2013 at 10:59 AM, Martin, Paul paul.mar...@mdnx.com wrote:
> Morning,
> Cisco have a DMVPN solution for this, I believe the equivalent juniper solution can be seen at the following link
> http://kb.juniper.net/kb/documents/public/junos_es/JUNOS_ES_Multipoint_VPN_with_NHTB.pdf
> It's worth noting that this is a few years old now so it's likely to have been superseded by something else.
>
> Regards
> Paul
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Nc Aji
> Sent: 07 May 2013 05:14
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Srx 240 ipsec site to site
>
>> Dear Group,
>> I have a small customer requiring a VPN between two of the sites. One site is so remote that we have only a 3g internet connection available; the other site, which is considered to be the main site, has internet over an ADSL link. In essence both sides are getting a dynamic IP address. Can I have a site to site vpn in this situation? Does SRX support the dyndns feature? Can I use it for establishing a site to site vpn? If not, what is the other option to suggest to the customer?
Re: [j-nsp] J/SRX ICMP handling
Hi Dale
just give

set security flow allow-icmp-without-flow

a try.

Regards
Klaus

— Sent from Mailbox for iPhone

On Thu, Apr 25, 2013 at 7:35 AM, Dale Shaw dale.shaw+j-...@gmail.com wrote:
> Hi all,
> This post relates to a previous post of mine on asymmetrically routed UDP traffic:
> https://puck.nether.net/pipermail/juniper-nsp/2012-December/024878.html
>
> It seems as though a J/SRX in flow mode will drop ICMP packets such as unreachable and ttl-exceeded if, after consulting the session table, an entry corresponding to the header embedded in the ICMP packet is not found. In other words, I'm gonna drop any ICMP packets[1] I see if I didn't handle the associated conversation.
>
> Assume I send a UDP packet between hosts A and D and it's routed outbound via SRX B, and for whatever reason an ICMP unreachable or ttl-exceeded is generated (think traceroute). If that ICMP packet is sent towards host D not via SRX B but via SRX C, SRX C drops it:
>
> (src/dst IPs replaced with A and D)
> Jan 23 14:53:45 14:53:44.938394:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: st0.1033:D-A, icmp, (3/3)
> Jan 23 14:53:45 14:53:44.938424:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: find flow: table 0x63ce7688, hash 494060(0x7), sa D, da A, sp 33438, dp 47488, proto 17, tok 7
> Jan 23 14:53:45 14:53:44.938483:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: packet dropped, no session found for embedded icmp pak
> Jan 23 14:53:45 14:53:44.938495:CID-00:FPC-11:PIC-01:THREAD_ID-27:RT: flow find session returns error.
>
> Seems like perfectly reasonable behaviour for a firewall, right? Right, except when it's not :-)
>
> Can this behaviour be modified without fully or selectively running in packet mode? I'm running JUNOS 10.4R11.
>
> Cheers,
> Dale
>
> [1] Well, any ICMP packets that include a copy of the original datagram's header: echo request/reply are forwarded (subject to being permitted by security policy, of course).
Re: [j-nsp] SNMP on logical-system fxp0
Hi
the fxp0 interface is bound to the RE, which always resides in the first logical system and is bound to the default routing table or master table, which is inet.0. All route lookups regarding the RE start in inet.0. Just put all your productive interfaces in a separate virtual router and you are done.

Klaus
---
Re: [j-nsp] VC-port over Ethernet
Just one word, to double check if I understand you. You would like to form a VC between 3300 and 4500? That won't work. You can only form a VC between 3300s or between 45xxx and 4200.

Klaus

— Sent from Mailbox for iPhone

On Mon, Apr 15, 2013 at 9:41 AM, Nick Kritsky nick.krit...@gmail.com wrote:
> Thanks. Just to clarify - I am actually trying to prevent this from happening. EX-3300 have ports xe-0/1/2 and xe-0/1/3 put in VC-port mode by default. So I wonder if two fresh, brand new EX-3300 can form a VC when they are plugged into an upstream 4550 using vc-ports. This can explain some strange behavior I was observing recently, but I was too busy fixing it, so I didn't run many tests. I plan to set up a small lab for that. I will let you know of the outcome.
>
> nick
>
> On Sun, Apr 14, 2013 at 4:33 PM, Klaus Groeger kla...@gmail.com wrote:
>> Hi
>> I would recommend Q-in-Q on the intermediate switch. I have seen 4550 VC spanning over metro ethernet, so this should work for 3300 also.
>>
>> Regards
>> Klauzi
>>
>> — Sent from Mailbox for iPhone
>>
>> On Sat, Apr 13, 2013 at 9:21 PM, Nick Kritsky nick.krit...@gmail.com wrote:
>>> Dear J-NSP,
>>> Can anyone confirm/deny if two EX3300 can form a virtual-chassis when their vc-ports are connected via a third switch?
>>>
>>> thanks
>>> nick
Re: [j-nsp] VC-port over Ethernet
Hi
I would recommend Q-in-Q on the intermediate switch. I have seen 4550 VC spanning over metro ethernet, so this should work for 3300 also.

Regards
Klauzi

— Sent from Mailbox for iPhone

On Sat, Apr 13, 2013 at 9:21 PM, Nick Kritsky nick.krit...@gmail.com wrote:
> Dear J-NSP,
> Can anyone confirm/deny if two EX3300 can form a virtual-chassis when their vc-ports are connected via a third switch?
>
> thanks
> nick